Question 1

What is a server timing attack?

Accepted Answer

A timing attack is a side-channel attack where an attacker measures the time a server takes to process different inputs. If string comparisons or cryptographic operations take variable time depending on input correctness, an attacker can deduce secret values character by character. For example, a naive password comparison that returns early on the first mismatched character leaks information about how many characters are correct.

Question 2

How do I defend against timing attacks?

Accepted Answer

Use constant-time comparison functions for all secret comparisons — such as crypto.timingSafeEqual in Node.js or hmac.compare_digest in Python. These functions always take the same amount of time regardless of input. Add rate limiting to slow down enumeration attempts. Avoid returning different error messages for different failure reasons. Use HMAC-based token verification instead of direct string comparison for API keys and tokens.

Server Timing Attack

Challenges

Frequently Asked Questions